ID

VAR-201803-1755


CVE

CVE-2018-2365


TITLE

Cross-site scripting vulnerability in SAP NetWeaver Portal WebDynpro Java

Trust: 0.8

sources: JVNDB: JVNDB-2018-002507

DESCRIPTION

SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 1.89

sources: NVD: CVE-2018-2365 // JVNDB: JVNDB-2018-002507 // BID: 102999

AFFECTED PRODUCTS

vendor: sap, model: netweaver portal, scope: eq, version: 7.40

Trust: 1.6

vendor: sap, model: netweaver portal, scope: eq, version: 7.30

Trust: 1.6

vendor: sap, model: netweaver portal, scope: eq, version: 7.50

Trust: 1.6

vendor: sap, model: netweaver portal, scope: eq, version: 7.31

Trust: 1.6

vendor: sap, model: netweaver portal, scope: -, version: -

Trust: 0.8

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 0.3

vendor: sap, model: netweaver, scope: eq, version: 0

Trust: 0.3

sources: BID: 102999 // JVNDB: JVNDB-2018-002507 // CNNVD: CNNVD-201803-035 // NVD: CVE-2018-2365

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-2365
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-2365
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201803-035
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-2365
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2018-2365
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-002507 // CNNVD: CNNVD-201803-035 // NVD: CVE-2018-2365

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-002507 // NVD: CVE-2018-2365

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-035

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201803-035

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002507

PATCH

title: February 2018 (2547977)
url: https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/

Trust: 0.8

title: SAP NetWeaver RunTime Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78830

Trust: 0.6

sources: JVNDB: JVNDB-2018-002507 // CNNVD: CNNVD-201803-035

EXTERNAL IDS

db: NVD, id: CVE-2018-2365

Trust: 2.7

db: BID, id: 102999

Trust: 2.1

db: JVNDB, id: JVNDB-2018-002507

Trust: 0.8

db: CNNVD, id: CNNVD-201803-035

Trust: 0.6

sources: BID: 102999 // JVNDB: JVNDB-2018-002507 // CNNVD: CNNVD-201803-035 // NVD: CVE-2018-2365

REFERENCES

url: https://launchpad.support.sap.com/#/notes/2547977

Trust: 1.9

url: https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/

Trust: 1.9

url: http://www.securityfocus.com/bid/102999

Trust: 1.8

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2365

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-2365

Trust: 0.8

url: http://www.sap.com

Trust: 0.3

sources: BID: 102999 // JVNDB: JVNDB-2018-002507 // CNNVD: CNNVD-201803-035 // NVD: CVE-2018-2365

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102999

SOURCES

db: BID, id: 102999
db: JVNDB, id: JVNDB-2018-002507
db: CNNVD, id: CNNVD-201803-035
db: NVD, id: CVE-2018-2365

LAST UPDATE DATE

2024-11-23T23:02:11.781000+00:00


SOURCES UPDATE DATE

db: BID, id: 102999, date: 2018-02-13T00:00:00
db: JVNDB, id: JVNDB-2018-002507, date: 2018-04-16T00:00:00
db: CNNVD, id: CNNVD-201803-035, date: 2018-03-05T00:00:00
db: NVD, id: CVE-2018-2365, date: 2024-11-21T04:03:41.203

SOURCES RELEASE DATE

db: BID, id: 102999, date: 2018-02-13T00:00:00
db: JVNDB, id: JVNDB-2018-002507, date: 2018-04-16T00:00:00
db: CNNVD, id: CNNVD-201803-035, date: 2018-03-05T00:00:00
db: NVD, id: CVE-2018-2365, date: 2018-03-01T17:29:00.227